From d9bb2d5b11268fe954125c793b7bc3e9caf0ec6a Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Wed, 17 Feb 2016 20:24:43 +0100
Subject: Fix possible invalid free in irecv_open_with_ecid()

irecv_open_with_ecid calls libusb_open() in a loop. When the operation fails libusb_close() is called with the returned handle - which ideally should be NULL upon calling libusb_open(). However since we're operating in a loop this is only the case for the first time libusb_open() is called and subsequent invocations only overwrite the handle upon success. Whenever the libusb_open() fails and it is not the first invocation, the libusb_close() that is called afterwards may cause an invalid free. To prevent this we set the handle to NULL before calling libusb_open().
---
 src/libirecovery.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libirecovery.c b/src/libirecovery.c
index 9284316..6626b1d 100644
--- a/src/libirecovery.c
+++ b/src/libirecovery.c
@@ -1116,7 +1116,6 @@ IRECV_API irecv_error_t irecv_open_with_ecid(irecv_client_t* pclient, unsigned l
 	int i = 0;
 	struct libusb_device* usb_device = NULL;
 	struct libusb_device** usb_device_list = NULL;
-	struct libusb_device_handle* usb_handle = NULL;
 	struct libusb_device_descriptor usb_descriptor;
 
 	*pclient = NULL;
@@ -1150,6 +1149,7 @@ IRECV_API irecv_error_t irecv_open_with_ecid(irecv_client_t* pclient, unsigned l
 
 		debug("opening device %04x:%04x...\n", usb_descriptor.idVendor, usb_descriptor.idProduct);
 
+		struct libusb_device_handle* usb_handle = NULL;
 		int libusb_error = libusb_open(usb_device, &usb_handle);
 		if (usb_handle == NULL || libusb_error != 0) {
 			debug("%s: can't connect to device: %s\n", __func__, libusb_error_name(libusb_error));
-- 
cgit v1.1-32-gdbae
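Review bot: The failure branch after the `if (usb_handle == NULL || libusb_error != 0)` check in the second hunk still, going by the commit description, calls libusb_close() on the handle that libusb_open() just failed to fill in, so the fix relies on libusb_close() tolerating a NULL argument rather than on the error path being correct by construction. Since a failed libusb_open() leaves nothing to release, the close call on that path (outside the hunk) should be removed outright; the per-iteration `struct libusb_device_handle* usb_handle = NULL;` is then a clarity improvement rather than the thing keeping the code memory-safe. A one-line comment above the new declaration, `/* per-iteration: a failed libusb_open() must never leave a stale handle from an earlier device */`, would record why the declaration was moved into the loop so it is not hoisted back out later. irecv_open_with_ecid() starts before the first hunk and continues after the second, so the loop exit and the later use of usb_handle are not visible here.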